Method for predicting the identity of a user associated to an anonymous browsing session on an online service

ABSTRACT

The present description relates to a method for predicting the identity of a user associated to an anonymous browsing session on an online service, comprising the steps of: providing a traffic inspector in signal communication with at least one client device for internet browsing and with a web server having an online service residing therein; providing a traffic analyzer in signal communication with the traffic inspector; identifying each browsing session of the client device on the online service; analyzing the traffic exchanged between the client device and the web server to extract and identify at least one username when a user performs authentication to the online service; collecting first characteristic data concerning unique and/or non-unique technical parameters and associating them with a respective identified username; storing the first characteristic data associated with each identified username in a database; identifying each anonymous browsing session of the client device on the online service; collecting second characteristic data concerning unique and/or non-unique technical parameters and associating them with the anonymous browsing session; comparing, by means of a user prediction algorithm the first characteristic data concerning each identified username with the second characteristic data concerning the anonymous session to associate an identified username with the anonymous browsing session in case of similarity or substantial coincidence between the first characteristic data and the second characteristic data so compared.

FIELD OF APPLICATION

The present description relates to a method for predicting the identity of a user associated to an anonymous browsing session on an online service, and optionally of monitoring and protecting access to an online service from account take over. In particular, the present invention relates to a method of monitoring and protecting access to a web or mobile application.

The present description relates to a method of monitoring and protecting access to an online service from account take over as well as to a method of monitoring and protecting access to a web or mobile application against cyber attacks by malware, for example of the Man-in-the-Browser and/or Man-in-the-Middle and/or Bot Attack type, aimed at the theft of user credentials or so-called Account Take Over, abbr.: ATO.

DESCRIPTION OF THE TECHNICAL BACKGROUND

The use of antivirus software to counter computer attacks is known in the state of the art, also of the Man-in-the-Browser and/or Man-in-the-Middle and/or Bot Attack type.

For example, Man-in-the-Browser is an attack category consisting of directly manipulating the web browser in order to modify the content normally displayed to the user when visiting a website. Man-in-the-Browser (MitB) attacks are performed using malware installed on the user’s computer without their knowledge. Such malware (e.g., Proxy Trojan horse) interacts with the memory of web browser processes, so as to redirect the normal flow of system calls (used by the web browser) to malware features which are intended, for example, to inject additional HTML code into the downloaded web page. It should be noted that, in the case of a Man-in-the-Browser attack, the connection is to the original web server of the attacked site, making it extremely difficult to detect the attack. Therefore, the web browser and web application are unable to locate the content which the malware has added to the content actually downloaded from the web server. Several types of Man-in-the-Browser attacks have been detected, including the theft of credit card codes from e-banking and e-commerce sites and the execution of fraudulent economic transactions often initiated automatically without user interaction.

In detail, when a user requests a web page (i.e., web application) through a web browser, the web server on which the web page resides sends an HTML source code (DOM, Document Object Model) to the web browser. The DOM code is passed to the web browser rendering engine in order to be displayed to the user. For example, in the case of a PC infected with malware, the DOM code which the web browser receives from the web server is modified by the malware before being processed by the web browser rendering engine. In fact, the malware injects an additional code (e.g., script) into the DOM code received from the web server so as to modify the content displayed to the user. Malware changes to DOM code downloaded from the web server are changes to HTML code and/or JavaScript, and/or another web content or resource. That is, the web browser is connected to the original web server while the malware causes changes to the downloaded DOM code. Such modifications may include graphic and/or behavioral alterations. Therefore, the user is shown a web page with modified behavior and/or graphical representation with respect to the web page originally requested by the client. The client inadvertently gives access to their personal data or authorizes fraudulent actions against them.

By way of example, in the banking world, the computer infected with malware normally connects to the online banking site with HTTP protocol, downloading the data from the web page. However, this data is altered in real time by the malware, adding scripts which make it possible to request the user’s access data to the online banking web page.

A further example is Bot Attack, as illustrated in FIG. 1. Such attacks take the form of page requests from an automatic system, rather than from a human person. This can result in very high bandwidth consumption for the service provider. In addition, the automatic systems could use the service in an undesirable and illegal manner. Known examples are web scraping (i.e., extraction of data from the web service) or carding (i.e., in the validation phase of stolen credit cards), or brute-force login (i.e., an attempt to search for a user’s credentials on the login page of a web application).

Operating malware on mobile devices could be of the types described above or could be other specific types. For example, Overlay malware could display a graphical interface which is identical or similar to a legitimate mobile application related to a service which requires credentials. A user could be unable to distinguish the legitimate application from the malicious Overlay application and enter their service credentials within the latter. Thereafter, the Overlay application could send the credentials to a malicious entity over a connection (e.g., WiFi, 3G, 4G, and 5G).

The aforementioned malware, as already stated, may be used to steal sensitive data from the user, such as access credentials to an online banking site. Under these circumstances, the malware prevents the user from logging in to the online banking site. In fact, the credentials entered by the user who believes they are regularly accessing the online banking platform are instead provided to the malware which simulated the access interface to the site and which engages the user by recreating an emulation of the online banking web page. Once this data is stolen from the user, the malware may send the collected credentials to an imposter. Parallel to the open session in which the unauthenticated user is operating, the imposter opens a new page where he enters the user’s credentials for authentication. Once authenticated, the imposter can freely organise the account of the unsuspecting user, initiating fraudulent operations. This type of technique is referred to in the industry as Account Take Over (ATO), as the imposter takes control of the account by acting in the user’s place without encountering any sort of hindrance. Furthermore, the attack could continue if the imposter manages to further exploit the malware-infected open session to obtain other sensitive data from the user, such as higher level login credentials necessary to carry out large money transactions.

Furthermore, it should be noted that an imposter could carry out an Account Take Over attack without using malware. Such an attack could employ techniques known as phishing. For example, the imposter could induce a user to browse to a site identical to that of the authenticated online service. A technique could take advantage of sending an email with graphics similar to that of an official entity containing a link to the malicious phishing site. The unknowing user could be unable to distinguish the legitimate site from the malicious one and enter their credentials in the latter. The malicious site is controlled by the imposter, so the credentials are recorded or sent directly to the imposter. Subsequently, the imposter may use the collected credentials to authenticate with the online service and freely carry out the operations.

There are known techniques aimed at identifying such phishing attacks which include inserting resources within a site, such as an image. Since the imposter could copy the entire website to a phishing server controlled thereby, such resources could remain unchanged on the fraudulent site. When the fraudulent site is viewed in a web browser, these resources are downloaded from the original server since, in the meantime, they have remained unchanged. Thereby, by analyzing the requests to the original server it is possible to highlight a phishing attack through the presence of resource requests from a site other than the legitimate one.

A method of monitoring and protecting access to an online service from account take over is described in US2018/033089A1. Such a method first acquires the access data to the online service, and by processing the access data with one or more predictive models it is able to assign one or more risk scores to the browsing session. The method subsequently includes performing one or more risk reduction actions as a function of the one or more risk scores attributed to the monitored session.

A method for detecting security risks on a computer based on the analysis of previous communications is described in US2018/152471A1.

Problems of the Background Art

The known systems make it possible to detect and possibly block the action of malware. See for example EP 3 021 550 A1 and EP 3 021 551 A1 describing, respectively, a malware detection method and a malware protection method.

However, in the case described above, it is not possible to know the identity of the user who, unaware of having been attacked by the malware, has not authenticated. In the scenario with malware in a session which is not yet authenticated, the prior art makes it possible to identify the presence of the malware, but it is not possible to know to whom that infected session belongs. As a result, the malware has the ability to recover sensitive session data by forwarding it to an imposter who will open a new session, identifying himself with the data just stolen. The new session is then recognized as valid because it is authenticated. As anticipated before, the new session is opened using data stolen from the user with the so-called account take over technique.

Therefore, when the imposter opens a new session of the online banking platform and logs in regularly, already being provided with the correct credentials of the unsuspecting user, nothing can be done to prevent his fraudulent conduct against the user.

Furthermore, the techniques used to identify phishing attacks do not make it possible to associate the affected user with the identified phishing attack.

SUMMARY OF THE INVENTION

The object of the invention in question is to obtain a method for predicting the identity of a user associated to an anonymous browsing session on an online service, and optionally of monitoring and protecting access to an online service able to overcome the drawbacks of the prior art.

A further object of the present invention is to obtain a method of monitoring and protecting access to an online service, such as a web or mobile application, which makes it possible to protect the user from Account Take Over-type attacks.

Advantages of the Invention

By virtue of an embodiment, a method can be implemented which allows monitoring and protecting access to an online service, such as a web or mobile application, from Account Take Over attacks, reducing the risk of fraud against the user.

By virtue of a further embodiment, it is possible to obtain a method which makes it possible to recognize one or more possible users hidden behind an anonymous browsing session of the web or mobile application attacked by malware, so as to be able to protect authenticated browsing sessions formally initiated by such users, but potentially by an imposter who has stolen the user’s credentials.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent from the following detailed description of a possible practical embodiment thereof, illustrated by way of non-limiting example in the accompanying drawings, in which:

FIGS. 1 and 2 show a system 100 in which a first embodiment of the method of the present invention can be applied;

FIG. 3 shows a flow chart of a sequence of steps of an embodiment of the method according to the first embodiment of the present invention;

FIG. 4 shows a flow chart of a further sequence of steps of the example of FIG. 3;

FIG. 5 shows a flow chart of a further sequence of steps of the example of FIGS. 3 and 4;

FIG. 6 shows a system 100 in which a second embodiment of the method of the present invention can be applied.

DETAILED DESCRIPTION

Even if not explicitly highlighted, the individual features described with reference to the specific embodiments shall be understood as accessory and/or interchangeable with other features, described with reference to other embodiments.

The present invention relates to a method for predicting/estimating the identity of a user associated to an anonymous browsing session on an online service, and optionally of monitoring and protecting access to an online service from account take over. In particular, the object of the present invention is a method of monitoring and protecting the account of a user from an attack by an imposter F, for example with the use of malware M, aimed at the theft of user credentials for accessing the online service.

Within the scope of the present invention, an online service is a web and mobile service or application which requires credentials to be securely used by a user. A widespread online service relates to online, web or mobile banking platforms, which allow registered and authenticated users to carry out financial operations online, such as financial transactions. Specifically, a home banking service where a user can make a bank transfer after authenticating with credentials, for example username and password and optionally a temporary token.

In the attached FIGS. 1 and 2, the number 100 refers to a system in which a first embodiment of the method of the present invention can be applied. In other words, the system 100 is referred to as a network environment, clearly consisting of devices and network components for hardware-type internet browsing, such as servers, databases and processing units, in which the first embodiment of the method of the present invention can be applied.

The method comprises the step of providing a traffic inspector 1 in signal communication with at least one client device 2 for internet browsing and with a web server 4 having an online service residing therein.

Within the scope of the present invention, a client device 2 means a device for internet browsing placed in signal communication with the web server 4. The client device 2 is capable of sending requests to the web server 4 and receiving responses through an internet network. The client device 2 may be a tablet, a laptop computer, a desktop computer, a smart TV, a smartwatch, a smartphone, or any other device capable of processing, communicating with a web server 4, and displaying content obtained from the web server 4, or content already present within the client device 2. The content could be viewed from a browser or other types of software. Such content could be in HTML, JavaScript, or other similar formats of a known type. Furthermore, the client device 2 could contain known operating systems such as Android, iOS, or Microsoft Windows.

Preferably, a web browser 3 resides in the client device 2 if the client device 2 is a computer, or a mobile application if the client device 2 is for example a smartphone or tablet.

Hereinafter, for brevity of presentation, reference will only be made to the exemplary case of the web browser 3 residing in the client device 2.

The method further comprises the step of providing a traffic analyzer 5 in signal communication with the traffic inspector 1.

Within the scope of the present invention, traffic inspector 1 means an inline device on web traffic between each client device 2 and the web server 4 having an online service residing therein. Therefore, the traffic inspector 1 is capable of intercepting the following communication information: IP address of an HTTP request, cookies, headers and the body of the same HTTP request. The traffic inspector 1 is preferably a hardware device, having software components residing therein, configured to generate a unique code and enter it in a cookie within the response to the HTTP request. More preferably, the traffic inspector 1 is configured to modify the DOM code of a web page by adding the code necessary to generate and send a fingerprint. Furthermore, the traffic inspector 1 is configured to send all the information collected during each user’s browsing sessions on the online service residing in the web server 4 to the traffic analyzer 5.

Within the scope of the present invention, traffic analyzer 5 means a hardware device, having software components such as algorithms 7, 8, 9, 10 residing therein for: extracting the username from the information received by the traffic inspector 1 (extraction algorithm 10); associating the username with the unique information of the HTTP request from which it was extracted, such as IP, and UUID entered in a cookie; estimating the username which generated the HTTP request if said request does not contain actual credentials, the estimate being based on the unique information present in the HTTP request associated with the estimated username(s) (user prediction algorithm 7); identifying an account take over attack (detection algorithm 8); protecting the user in the event of an attack (protection algorithm 9). Furthermore, the traffic analyzer 5 preferably comprises a database 6 for storing such associations A between username and unique information such as, for example, IP and UUID.

It should be noted that, according to a preferred solution of the invention, the traffic analyzer 1 and the traffic inspector 5 can be implemented in a single machine (or electronic device) which, therefore, is capable of carrying out the activities of the traffic analyzer 1 and the traffic inspector 5 with the same methods described herein.

The method comprises the step of identifying each browsing session of the client device 2, and preferably the web browser 3, on the online service by the traffic inspector 1.

The method also comprises the step of analyzing the traffic exchanged between the client device 2 and the web server 4, and preferably between the web browser 3 and the web server 4, by the traffic analyzer 5 to extract and identify at least one username when a user performs authentication to the online service.

In other words, the architecture based on traffic inspector 1 and traffic analyzer 5 allows monitoring web/mobile application traffic.

Furthermore, the method comprises the step of collecting by the traffic inspector 1 first characteristic data concerning unique and/or non-unique technical parameters and associating the first characteristic data with a respective identified username by the traffic analyzer 5.

The method comprises the step of storing the first characteristic data associated with each identified username in a database 6 associated with the traffic analyzer 5.

The method further comprises the step of identifying each anonymous browsing session of the client device 2, and preferably the web browser 3, on the online service by the traffic analyzer 5.

Within the scope of the present invention, an anonymous browsing session is an unauthenticated browsing session of an online service.

The method also comprises the step of collecting, by the traffic inspector 1, second characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the second characteristic data with the anonymous browsing session.

The method comprises the step of comparing by means of a user prediction algorithm 7 residing in the traffic analyzer 5 the first characteristic data concerning each identified username with the second characteristic data concerning the anonymous session to associate an identified username with the anonymous browsing session in case of similarity or substantial coincidence between the first characteristic data and the second characteristic data so compared. That is, the method includes associating a set of possible users with the anonymous browsing session by means of a user prediction algorithm 7, which analyzes the set of technical parameters collected on the session and compares them with the history of previously collected, analyzed, or monitored authenticated parameters and sessions.

Preferably, the method comprises the step of analyzing by means of a detection algorithm 8 residing in the traffic analyzer 5 each anonymous browsing session associated with one or more identified usernames to enter each username associated with the anonymous browsing session in which a situation involving a risk of credential theft has been detected in a watch list. In other words, the method includes identifying the presence of technical risks and not, for example, the presence of malware in a browsing session which has not yet been authenticated but with predicted users in the previous step of comparison with the user prediction algorithm 7, by means of continuous monitoring before authentication. If risks are present, the predicted and at-risk users are entered in the watch list.

Preferably, the method comprises the step of monitoring the browsing sessions at risk associated with each username in the watch list when the respective user further performs authentication to the online service. In addition, this step involves identifying an account take over attack by the client device 2 when the anonymous browsing session and the subsequent authenticated session associated with the same username entered in the watch list are close in time. Furthermore, this step involves protecting access to the online service when an account take over risk is identified.

According to a preferred form of the invention, the step of monitoring the browsing sessions associated with each username in the watch list comprises the sub-steps of:

-   identifying by means of the detection algorithm 8 the browsing sessions at risk associated with each username in the watch list when the respective user performs authentication to the online service;
-   protecting the browsing sessions at risk using a protection algorithm 9 residing in the traffic analyzer 5.

Preferably, the step of protecting the browsing session at risk using the protection algorithm 9 comprises the step of locking the username of the user associated with the browsing session at risk or executing a Strong Customer Authentication algorithm for the username of the user associated with the browsing session at risk or executing a Multi-Factor Authentication algorithm for the username of the user associated with the browsing session at risk. That is to say, when the method identifies a browsing session associated with an authenticated user, if such a user is present in the watch list of users at risk generated by the detection algorithm 8, the protection algorithm 9 triggers protection mechanisms such as, for example, user lockout, SCA, MFA, and/or reporting mechanisms to other systems or users. For example, the method may include a step of generating a warning P by the traffic analyzer 5 to signal the warning to the attacked user or to other systems or to other users.

Preferably, the step of monitoring the browsing sessions associated with each username in the watch list comprises the step of generating a risk signal indicative of the presence of a possible threat associated with the malware attack in the browsing session at risk.

According to a preferred solution, the method comprises the step of removing a username from the watch list when the detection algorithm 8 detects that the malware attack has ended. It should be noted that it is possible to establish predefined criteria such that the detection algorithm 8 is capable of detecting if the attack is over.

Preferably, the step of removing a username from the watch list comprises the step of removing a username from the watch list when a predefined time interval has elapsed from the moment when the detection algorithm 8 has detected that the malware attack is over. That is to say, the username is automatically removed from the watch list when the risk condition expires, for example using a fixed timer.

In accordance with a preferred form, the step of collecting, by the traffic inspector 1, first characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the first characteristic data with a respective identified username comprises the sub-step of collecting, by the traffic inspector 1, first characteristic data concerning one or more of unique technical parameters, non-unique technical parameters, endpoints (e.g., fingerprint), networks (e.g., IP) and browsers (e.g., tracking and marking cookies). That is, this sub-step includes that the method associates the identified username and all the unique technical parameters and not the authenticated browsing session. Furthermore, the step of collecting, by the traffic inspector 1, second characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the second characteristic data with the anonymous browsing session comprises the sub-step of collecting, by the traffic inspector 1, second characteristic data concerning one or more of unique technical parameters, non-unique technical parameters, endpoints (e.g., fingerprint), networks (e.g., IP) and browsers (e.g., tracking and marking cookies).

Preferably, the first characteristic data and the second characteristic data comprise UUID and IP. It should be noted that in FIG. 2 the second characteristic data are indicated with IP1 and UUID1.

With reference to the embodiment in which the traffic inspector 1 is configured to modify the DOM code of a web page by adding the code necessary to generate and send a fingerprint, the code necessary to generate a fingerprint preferably contains the instructions necessary to capture some information which characterizes an execution environment of the aforementioned code, such as for example the web browser 3 or a mobile client device 2. More preferably, the code contains instructions aimed at transforming the collected information, i.e., the first and second characteristic data, into a compact format. The device which executes these instructions contains instructions to send the collected information to the traffic analyzer 5. Still preferably, the instructions aimed at transforming the collected information into a compact format are executed both in the web browser 3 and within the traffic inspector 1. When the instructions aimed at transforming the collected information into a compact format are executed within the web browser 3, the code sends only the compact representation of the collected information to the traffic analyzer 5. Still preferably, the information collected relates to the list of typographical sources (fonts) installed within the device. More preferably, the information collected is the screen size of the device. Although such information is not unique, it is distributed with sufficient rarity to allow the identification of a client device 2 based on the same. On some devices, the characteristic information could relate to information available only in certain types of devices. For example, some mobile devices offer native serial numbers. Advantageously, such information offers even greater guarantees regarding the uniqueness of the information collected. Furthermore, the code could capture further information than previously stated.
The traffic analyzer 5 stores such information in a permanent database 6 together with information about the user associated with the client device 2, as they become available. When the traffic analyzer 5 receives the fingerprint information of a client device 2, it searches within the permanent database 6 for information regarding the user which has previously been associated with such fingerprint information. Thereby, the fingerprint information makes it possible to hypothesize the use of a device without it having been authenticated by entering the credentials thereof, similar to what occurs with UUID and IP.

In accordance with a preferred solution, the step of monitoring thebrowsing sessions at risk associated with each username in the watchlist when the respective user performs further authentication to theonline service, comprises the sub-step of:

comparing by means of the detection algorithm 8 the first characteristicdata associated with a username in the watch list with the firstcharacteristic data collected by the traffic inspector 1 when therespective user performs further authentication to the online service toidentify the presence of any anomalies. In FIG. 2 , the firstcharacteristic data collected by the traffic inspector 1 when therespective user in the watch list performs further authentication to theonline service are indicated with IP2 and UUID2.

According to a preferred solution of the invention, the step ofcomparing, by means of the detection algorithm 8, the firstcharacteristic data associated with a username in the watch list withthe first characteristic data collected by the traffic inspector 1 whenthe respective user performs further authentication to the onlineservice to identify the presence of any anomalies, comprises thesub-step of:

generating a warning P when the first characteristic data associatedwith a username in the watch list differ from the first characteristicdata collected by the traffic inspector 1 when the respective userperforms further authentication to the online service.
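
The watch list behaviour described above (entry of predicted users, comparison of stored characteristic data with IP2/UUID2 at authentication, warning P, protection, timed removal) can be exercised with the following added Python example, which is not part of the patent text. The 15-minute "close in time" window, the one-hour removal delay, and the mapping of outcomes to lock versus step-up (SCA/MFA) are assumptions of this example, and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional


class Characteristics(NamedTuple):
    ip: str
    uuid: str


class Decision(NamedTuple):
    action: str    # "allow", "step_up" (SCA/MFA) or "lock"
    warning: bool  # True when warning P is generated


@dataclass
class WatchEntry:
    known: frozenset                        # characteristic data stored for the username
    flagged_at: float                       # time of the at-risk anonymous session
    attack_ended_at: Optional[float] = None


class WatchList:
    def __init__(self, close_in_time_s=900.0, removal_delay_s=3600.0):
        # Both intervals are assumed values: the text only says "close in
        # time" and "a predefined time interval".
        self.close_in_time_s = close_in_time_s
        self.removal_delay_s = removal_delay_s
        self.entries = {}

    def flag(self, predicted_usernames, known_by_user, now):
        """Enter every predicted user of an at-risk anonymous session."""
        for user in predicted_usernames:
            known = frozenset(known_by_user.get(user, ()))
            self.entries[user] = WatchEntry(known, now)

    def mark_attack_ended(self, username, now):
        """Record that the detection logic considers the attack over."""
        if username in self.entries:
            self.entries[username].attack_ended_at = now

    def purge(self, now):
        """Remove users whose attack ended at least removal_delay_s ago."""
        expired = [user for user, entry in self.entries.items()
                   if entry.attack_ended_at is not None
                   and now - entry.attack_ended_at >= self.removal_delay_s]
        for user in expired:
            del self.entries[user]

    def on_authentication(self, username, seen, now):
        """Decide what to do when `username` authenticates with `seen` data."""
        self.purge(now)
        entry = self.entries.get(username)
        if entry is None:
            return Decision("allow", False)
        differs = seen not in entry.known            # anomaly -> warning P
        close = (now - entry.flagged_at) <= self.close_in_time_s
        if differs and close:
            return Decision("lock", True)            # likely account take over
        return Decision("step_up", differs)          # watch-listed: SCA/MFA


if __name__ == "__main__":
    # Constructed sample data (documentation IP ranges, made-up UUIDs).
    home = Characteristics("203.0.113.10", "uuid-alice")
    other = Characteristics("198.51.100.77", "uuid-other")
    watch = WatchList()
    watch.flag(["alice"], {"alice": {home}}, now=1000.0)
    print(watch.on_authentication("alice", other, now=1060.0))
    print(watch.on_authentication("alice", home, now=1060.0))
```
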

In accordance with a preferred solution, the step of identifying each browsing session of the client device 2, and preferably the web browser 3, on the online service by the traffic inspector 1 comprises the sub-step of:

identifying each browsing session of the client device 2, and preferably the web browser 3, on the online service by the traffic inspector 1 using session cookies.

Preferably, the step of identifying each browsing session of the client device 2, and preferably of the web browser 3, on the online service by the traffic inspector 1, comprises the sub-step of intercepting, by the traffic inspector 1, an HTTP request sent from the web browser 3 to the web server 4. Furthermore, the step of analyzing the traffic exchanged between the web browser 3 and the web server 4 by the traffic analyzer 5 to extract and identify at least one username when a user performs authentication to the online service, comprises the step of extracting a username from the HTTP request intercepted by the traffic inspector 1 when a user performs authentication to the online service by means of an extraction algorithm 10 residing in the traffic analyzer 5 and based on regular expressions.

Advantageously, the method of the present invention allows to identifyany risks, including technical risks or an action for example in thecase of video on demand (VOD), deriving from an account take overattack.

Still advantageously, the method of the present invention allows toprovide a prediction of the identity of the user acting in an area whichis anonymous as it is not yet authenticated, generating by means of theuser prediction algorithm 7 a list of potential users which could behiding behind the anonymous browsing session. These users, in case arisk is detected in the related browsing session by means of thedetection algorithm 8, are entered in a watch list. In doing so, eachsubsequent authenticated browsing session by a user in the watch list iscontrolled, so that they can request additional access credentials bymeans of the protection algorithm 9 and possibly lock the session in theevent of a concrete threat.

Advantageously, the method of the present invention allows to identify and prevent any account take over attacks carried out against registered users of an online service.

An exemplary application of the method of the present invention is described below, with particular reference to the sequences of steps illustrated in FIGS. 3, 4 and 5.

With particular reference to FIG. 3, the step of identifying each browsing session of the web browser 3 on the online service by the traffic inspector 1 includes:

sub-step 301 in which the user requests a web page by means of a web browser 3 which sends an HTTP request to the web server 4.

The step of analyzing the traffic exchanged between the web browser 3 and the web server 4 by the traffic analyzer 5 to extract and identify at least one username when a user performs authentications to the online service includes:

-   sub-step 302 in which the traffic inspector 1 reads the configuration keys and searches for a particular UUID in the HTTP request;
-   sub-step 303 of determining whether a UUID is present in the HTTP request;
-   sub-step 304 to obtain the UUID, if present;
-   sub-step 305 to add a UUID to the HTTP request if not present, and sub-step 306 to store the UUID in the web browser 3;
-   sub-step 307 in which the traffic inspector 1 sends the HTTP request to the traffic analyzer 5;
-   sub-step 308 in which the traffic analyzer 5 searches for username information in the HTTP request and obtains information about IPs present in the HTTP request.

The step of collecting, by the traffic inspector 1, first characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the first characteristic data with a respective identified username, includes:

-   sub-step 309 to check if there is a username in the HTTP request;
-   sub-step 310 in which the traffic analyzer 5 searches for usernames already associated with the UUID received;
-   sub-step 311 in which the traffic analyzer 5 searches the database 6 for usernames already associated with received IPs.

The step of storing the first characteristic data associated with each username identified in a database 6 associated with the traffic analyzer 5 includes:

-   if the username is present in the HTTP request, sub-step 312 in which the traffic analyzer 5 stores the associations A detected between username and IP, and stores the associations A detected between username and UUID in the database 6;
-   sub-step 313 in which the traffic analyzer 5 joins the usernames according to predefined rules and produces a refined list of usernames.

With particular reference to FIGS. 4 and 5, sub-step 307 in which the traffic inspector 1 sends the UUID and the HTTP request to the traffic analyzer 5, includes:

-   sub-step 401 in which the traffic inspector 1 sends legitimate UUIDs and IPs to the traffic analyzer 5 and sends the legitimate HTTP request to the traffic analyzer 5, where legitimate means that it is an authenticated, secure and user-managed browsing session;
-   sub-step 402 in which the traffic inspector 1 sends the imposter UUID and IP to the traffic analyzer 5 and sends the imposter HTTP request to the traffic analyzer 5.

The step of comparing by means of a user prediction algorithm 7 residing in the traffic analyzer 5 the first characteristic data concerning each identified username with the second characteristic data concerning the anonymous session to associate an identified username with the anonymous browsing session in case of similarity or substantial coincidence between the first characteristic data and the second characteristic data so compared, includes:

sub-step 403 in which the traffic analyzer 5 estimates the possible legitimate username behind the anonymous browsing session as a function of UUID, IP and user prediction algorithm 7.

The step of collecting, by the traffic inspector 1, first characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the first characteristic data with a respective identified username, includes:

sub-step 404 in which the traffic analyzer 5 extracts information about the username from the HTTP request concerning the authenticated browsing session, subsequent to the anonymous session in which the username of the same user was predicted in sub-step 403.

The step of generating a warning P when the first characteristic data associated with a username in the watch list differ from the first characteristic data collected by the traffic inspector 1 when the respective user performs further authentication to the online service, includes:

-   sub-step 405 in which the traffic analyzer 5 determines whether UUID and IP are unusual for the username;
-   if it determines that UUID and IP are unusual 406, sub-step 407 in which the traffic analyzer 5 determines whether the estimated legitimate username of the anonymous session is the same one extracted from the imposter’s authenticated HTTP request;
-   if the username is the same 408, sub-step 409 in which the traffic analyzer 5 determines whether the two requests have occurred in a limited time interval;
-   if the first anonymous and then authenticated sessions of the same user are close 410, i.e., if they occurred in a limited time interval, sub-step 411 in which the traffic analyzer 5 establishes that the imposter’s request is fraudulent.

Sub-step 405 includes:

-   sub-step 501 to check if the username is present in the HTTP request;
-   sub-step 502 in which the traffic analyzer 5 searches if associations A between username and UUID are stored in the database 6;
-   sub-step 503 in which the traffic analyzer 5 searches if associations A between username and IP are stored in the database 6;
-   if the association A between username and UUID 504 is not detected and/or if the association A between username and IP 505 is not detected, sub-step 506 in which the traffic analyzer 5 generates a warning P.
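The sequence of FIGS. 3, 4 and 5 can be followed end to end in the sketch below, which is an added example and not code from the patent. The class and function names, the `username` form field, the 300-second window, the rule ranking UUID matches ahead of IP-only matches, and the choice not to store associations from a request judged fraudulent are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumptions, not taken from the description: the login field name and the
# length of the "limited time interval" checked in sub-step 409.
USERNAME_RE = re.compile(r"(?:^|&)username=([^&]+)")
ATO_WINDOW_SECONDS = 300


def extract_username(body):
    """Regex-based username extraction from a form-encoded login body."""
    match = USERNAME_RE.search(body or "")
    return unquote_plus(match.group(1)) if match else None


class TrafficAnalyzer:
    """Hypothetical in-memory stand-in for traffic analyzer 5 and database 6."""

    def __init__(self):
        self.by_uuid = {}        # UUID -> set of usernames (associations A)
        self.by_ip = {}          # IP -> set of usernames (associations A)
        self.watch_list = set()
        self.predicted_at = {}   # username -> time of the risky anonymous session

    def learn(self, username, uuid, ip):
        """Sub-step 312: store username/UUID and username/IP associations."""
        self.by_uuid.setdefault(uuid, set()).add(username)
        self.by_ip.setdefault(ip, set()).add(username)

    def predict(self, uuid, ip):
        """Sub-steps 310, 311, 313: candidates, UUID matches ranked before IP-only ones."""
        from_uuid = self.by_uuid.get(uuid, set())
        from_ip = self.by_ip.get(ip, set())
        return sorted(from_uuid) + sorted(from_ip - from_uuid)

    def anonymous_session(self, uuid, ip, ts, risky):
        """Sub-step 403; `risky` is the verdict of a detection step supplied by the caller."""
        candidates = self.predict(uuid, ip)
        if risky:
            for username in candidates:
                self.watch_list.add(username)
                self.predicted_at[username] = ts
        return candidates

    def authenticated_request(self, uuid, ip, ts, body):
        """Sub-steps 404 to 411 and 501 to 506 for one login request."""
        username = extract_username(body)
        if username is None:
            return {"username": None, "warning": False, "fraudulent": False}
        uuid_known = username in self.by_uuid.get(uuid, set())
        ip_known = username in self.by_ip.get(ip, set())
        warning = not (uuid_known and ip_known)          # sub-step 506: warning P
        recent = (username in self.watch_list and
                  0 <= ts - self.predicted_at[username] <= ATO_WINDOW_SECONDS)
        fraudulent = warning and recent                  # sub-steps 407 to 411
        if not fraudulent:
            # Assumption: associations seen in a request judged fraudulent are not stored.
            self.learn(username, uuid, ip)
        return {"username": username, "warning": warning, "fraudulent": fraudulent}


if __name__ == "__main__":
    # Constructed sample traffic (documentation IP ranges, made-up UUIDs).
    ta = TrafficAnalyzer()
    ta.learn("alice", "uuid-A", "198.51.100.10")
    ta.learn("bob", "uuid-B", "198.51.100.10")
    print(ta.anonymous_session("uuid-A", "198.51.100.10", 1000, risky=True))
    print(ta.authenticated_request("uuid-X", "203.0.113.7", 1120,
                                   "username=alice&password=x"))
```

A login with an unknown UUID or IP only raises warning P; the request is classed as fraudulent when the same username was also predicted for a risky anonymous session inside the time window.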

A second embodiment, alternative or combinable with the previous one (see the third embodiment described below), of the method according to the present invention from account take over is described below.

In the attached FIG. 6, the number 100 refers to a system in which a first embodiment of the method of the present invention can be applied. In other words, the system 100 is referred to as a network environment, clearly consisting of devices and network components for hardware-type internet browsing, such as servers, databases and processing units, in which the second embodiment of the method of the present invention can be applied.

In accordance with the second embodiment, the method for predicting the identity of a user associated to an anonymous browsing session on an online service comprises the step of providing a traffic inspector 1 in signal communication with at least one client device 2 for internet browsing and with a web server 4 having an online service residing therein.

The method also comprises the step of providing a traffic analyzer 5 in signal communication with the traffic inspector 1.

Furthermore, the method comprises the step of identifying each browsing session of the client device 2 on the online service by the traffic inspector 1.

The method comprises the step of analyzing the traffic exchanged between the client device 2 and the web server 4, by the traffic analyzer 5 to extract and identify at least one username when a user performs authentications to the online service.

In addition, the method comprises the step of collecting by the traffic inspector 1 first characteristic data concerning unique and/or non-unique technical parameters and associating the first characteristic data with a respective identified username by the traffic analyzer 5.

The method comprises the step of storing the first characteristic data associated with each identified username in a database 6 associated with the traffic analyzer 5.

The method further comprises the step of identifying each anonymous web beacon generated by the client device 2 on the online service by the traffic analyzer 5, the web beacon indicating that the client device 2 has initiated a fraudulent browsing session on a phishing web server 11.

Within the scope of the present invention, web beacons means an element included in a web page intended to monitor the actual display of the page by a user. For example, a web beacon could be an image or another type of static resource referenced by the web page. When the user obtains the web page from the web server 4 by means of a request, the beacons are not sent directly. When the page is displayed within the user’s client device 2, for example through a web browser 3, the beacons referenced within the web page are requested from the web server 4. Therefore, it is possible to identify whether the online service page has actually been displayed on the client device 2 by checking in the register of requests to the web server 4 whether requests for beacons have been sent. A web beacon could be a resource already on the page (for example, a logo or other graphic elements). Or it could be an image, for example an image consisting of a single transparent pixel inserted specifically in order to ensure monitoring. These resources comprise a reference consisting of a unique name within the web page.

Furthermore, the method comprises the step of collecting by the traffic inspector 1 third characteristic data concerning unique and/or non-unique technical parameters and associating the third characteristic data with the anonymous web beacon via the traffic analyzer 5.

The method comprises the step of comparing by a user prediction algorithm 7 residing in the traffic analyzer 5 the first characteristic data concerning each identified username with the third characteristic data concerning the anonymous web beacon to associate the anonymous web beacon with an identified username in case of similarity or substantial coincidence between the first characteristic data and the third characteristic data so compared.

Preferably, the method further comprises the step of analyzing by a detection algorithm 8 residing in the traffic analyzer 5 each anonymous web beacon associated with one or more identified usernames to enter each username associated with the anonymous web beacon in which a situation involving risk of credential theft following a phishing attack is detected in a watch list.

Preferably, the method comprises the step of monitoring the browsing sessions at risk associated with each username in the watch list when the respective user performs further authentication to the online service. In addition, this step involves identifying an account take over attack by the client device 2 when the anonymous browsing session and the subsequent authenticated session associated with the same username entered in the watch list are close in time. Furthermore, this step involves protecting access to the online service when an account take over risk is identified.

According to a preferred form, the step of monitoring the browsing sessions associated with each username in the watch list comprises the sub-steps of:

-   identifying by means of the detection algorithm 8 the browsing sessions at risk associated with each username in the watch list when the respective user performs authentication to the online service;
-   protecting the browsing sessions at risk using a protection algorithm 9 residing in the traffic analyzer 5.

Preferably, the step of protecting the browsing session at risk using the protection algorithm 9 comprises the step of locking the username of the user associated with the browsing session at risk or executing a Strong Customer Authentication algorithm for the username of the user associated with the browsing session at risk or executing a Multi-Factor Authentication algorithm for the username of the user associated with the browsing session at risk.

Preferably, the step of monitoring the browsing sessions associated with each username in the watch list comprises the step of generating a risk signal indicative of the presence of a possible threat associated with the phishing attack in the browsing session at risk.

According to a preferred form, the method comprises the step of removing a username from the watch list when the detection algorithm 8 detects that the phishing attack is over.

Preferably, the step of removing a username from the watch list comprises the step of removing a username from the watch list when a predefined time interval has elapsed from the moment when the detection algorithm 8 has detected that the malware attack is over.

In accordance with a preferred solution, the step of collecting, by the traffic inspector 1, first characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the first characteristic data with a respective identified username comprises the sub-step of collecting, by the traffic inspector 1, first characteristic data concerning one or more of unique technical parameters, non-unique technical parameters, endpoints, networks and browsers. Preferably, the step of collecting, by the traffic inspector 1, third characteristic data concerning unique and/or non-unique technical parameters and associating, by the traffic analyzer 5, the third characteristic data with the anonymous web beacon, comprises the sub-step of collecting, by the traffic inspector 1, third characteristic data concerning one or more of unique technical parameters, non-unique technical parameters, endpoints and browsers.

Preferably, the first characteristic data and the third characteristic data comprise UUID and IP.

According to a preferred form, the step of monitoring the browsing sessions at risk associated with each username in the watch list when the respective user performs further authentication to the online service, comprises the sub-step of comparing, by the detection algorithm 8, the first characteristic data associated with a username in the watch list with the first characteristic data collected by the traffic inspector 1 when the respective user performs further authentication to the online service to identify the presence of any anomalies.

According to a preferred solution, the step of comparing, by the detection algorithm 8, the first characteristic data associated with a username in the watch list with the first characteristic data collected by the traffic inspector 1 when the respective user performs further authentication to the online service to identify the presence of any anomalies, comprises the sub-step of generating a warning P when the first characteristic data associated with a username in the watch list differ from the first characteristic data collected by the traffic inspector 1 when the respective user performs further authentication to the online service.

Preferably, the step of identifying each generated anonymous web beacon of the client device 2 on the online service by the traffic analyzer 5, comprises the step of identifying each generated anonymous web beacon of the client device 2 on the online service by the traffic analyzer 5 using session cookies.

According to a preferred form, the step of identifying each browsing session of the client device 2 on the online service by the traffic inspector 1, comprising the sub-step of intercepting by the traffic inspector 1 an HTTP request sent by a web browser 3 residing in the client device 2 to the web server 4. Preferably, the step of analyzing the traffic exchanged between the client device 2 and the web server 4 by the traffic analyzer 5 to extract and identify at least one username when a user performs authentication to the online service, comprises the step of extracting a username from the HTTP request intercepted by the traffic inspector 1 when a user performs authentication to the online service by means of an extraction algorithm 10 residing in the traffic analyzer 5 and based on regular expressions.

According to a preferred form, the method comprises the step of modifying the online service by inserting a web beacon therein. For the purpose of searching for phishing sites, it is important that the resources constituting the web beacon are entered in site locations which are difficult to identify by the imposter F, to prevent them from being removed during the cloning operation of the legitimate site.

Preferably, the web beacon comprises an HTTP request from a resource residing within the web server 4. Preferably, the step of identifying each generated anonymous web beacon of the client device 2 on the online service by the traffic analyzer 5 comprises the sub-step of intercepting by the traffic inspector 1 each HTTP request associated with an anonymous web beacon. Still preferably, the step of collecting by the traffic inspector 1 third characteristic data concerning unique and/or non-unique technical parameters and associating by the traffic analyzer 5 the third characteristic data with the anonymous web beacon; comprises the sub-step of sending by the traffic inspector 1 the third characteristic data to the traffic analyzer 5, the third characteristic data being associated with unique and/or non-unique technical parameters characteristic of the request associated with the anonymous web beacon.

Preferably, the step of analyzing by means of a detection algorithm 8 residing in the traffic analyzer 5 each anonymous web beacon associated with one or more identified usernames to enter each username associated with the anonymous web beacon in which a situation involving risk of credential theft following phishing in a watch list, comprises the sub-steps of:

-   analyzing whether each HTTP request intercepted by the traffic inspector 1 and concerning a web beacon associated with a username comes from the legitimate domain of the online service;
-   generating a warning P when an HTTP request does not come from the legitimate domain of the online service.

More preferably, the step of generating a warning P when an HTTP request does not come from the legitimate domain of the online service comprises the step of sending the warning P to the user holding the username associated with the web beacon concerning the HTTP request not coming from the legitimate domain of the online service.

Advantageously, the user accesses the malicious site from an IP and/or with a UUID typically associated with the username thereof. Such characteristic information is transported within resource requests made to the legitimate server. They can thereby be intercepted by the traffic inspector 2 and sent to the traffic analyzer 5. The traffic analyzer 5 is capable of analyzing the requests and detecting phishing attacks using known art techniques. Furthermore, the traffic analyzer 5 is capable of associating identified phishing attacks with an unidentified user using characteristic information such as IP and UUID associated with requests.
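The beacon check described above can be run over the legitimate server's request log, as in the following added example, which is not code from the patent. It assumes that "comes from the legitimate domain" is decided from the `Referer` header, that the UUID is logged as an extra trailing field, and that `bank.example`, the beacon path and all log lines are constructed sample values.

```python
import re
from urllib.parse import urlsplit

LEGITIMATE_HOSTS = {"bank.example"}            # assumed legitimate domain
BEACON_PATHS = {"/static/img/px-7f3a.gif"}     # assumed unique beacon resource name

# Combined log format plus one trailing quoted field holding the UUID (constructed layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<uuid>[^"]*)"'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Mar/2024:10:00:01 +0000] "GET /static/img/px-7f3a.gif HTTP/1.1" 200 43 "https://www.bank.example/login" "Mozilla/5.0" "uuid-A"
198.51.100.10 - - [12/Mar/2024:10:05:09 +0000] "GET /static/img/px-7f3a.gif HTTP/1.1" 200 43 "https://bank.example.login.test/signin" "Mozilla/5.0" "uuid-A"
203.0.113.50 - - [12/Mar/2024:10:06:00 +0000] "GET /static/img/px-7f3a.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0" "-"
198.51.100.22 - - [12/Mar/2024:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://other.test/" "Mozilla/5.0" "uuid-C"
"""


def referer_host(referer):
    """Host part of a Referer value, or None when the header is absent."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def is_legitimate(host):
    """Exact host or true subdomain only, so lookalike prefixes do not pass."""
    return any(host == h or host.endswith("." + h) for h in LEGITIMATE_HOSTS)


def find_phishing_beacons(log_text, by_uuid, by_ip):
    """Return one warning per beacon request referred from a foreign host."""
    warnings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["path"]).path not in BEACON_PATHS:
            continue
        host = referer_host(m["referer"])
        if host is None:
            continue  # no Referer sent: inconclusive, not treated as a warning here
        if is_legitimate(host):
            continue
        # Associate the anonymous beacon with usernames known for this UUID or IP.
        users = sorted(by_uuid.get(m["uuid"], set()) | by_ip.get(m["ip"], set()))
        warnings.append({"ip": m["ip"], "uuid": m["uuid"],
                         "referer_host": host, "usernames": users})
    return warnings


if __name__ == "__main__":
    known_by_uuid = {"uuid-A": {"alice"}}
    known_by_ip = {"198.51.100.10": {"alice", "bob"}}
    for w in find_phishing_beacons(SAMPLE_LOG, known_by_uuid, known_by_ip):
        print(w)
```

The second sample line shows why suffix matching must be anchored on a dot: `bank.example.login.test` begins with the legitimate name but is a different site.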

Preferably, the step of identifying each generated anonymous web beacon of the client device 2 on the online service by the traffic analyzer 5 is performed by the detection algorithm 8.

The present invention also relates to a third embodiment of the invention which includes the combination of the previous embodiments, i.e., a combination of the first embodiment with the second embodiment.

The third embodiment relates to a method for predicting the identity of a user associated to an anonymous browsing session on an online service, and optionally of monitoring and protecting access to an online service from account take over. The method comprises the step of providing a traffic inspector 1 in signal communication with at least one client device 2 for internet browsing and with a web server 4 having an online service residing therein.

The method comprises the step of providing a traffic analyzer 5 in signal communication with the traffic inspector 1.

The method comprises the step of identifying each browsing session of the client device 2 on the online service by the traffic inspector 1.

Furthermore, the method comprises the step of analyzing the traffic exchanged between the client device 2 and the web server 4 by the traffic analyzer 5 to extract and identify at least one username when a user performs authentication to the online service.

The method also comprises the step of collecting by the traffic inspector 1 first characteristic data concerning unique and/or non-unique technical parameters and associating the first characteristic data with a respective identified username by the traffic analyzer 5.

The method comprises the step of storing the first characteristic data associated with each identified username in a database 6 associated with the traffic analyzer 5.

The method comprises the step of identifying by the traffic analyzer 5 each anonymous application session and each anonymous virtual session of the client device 2 on the online service.

For each anonymous application session identified in the previous step, the method comprises the following steps:

-   identifying an anonymous browsing session of the client device 2 on the online service by the traffic analyzer 5;
-   collecting by the traffic inspector 1 second characteristic data concerning unique and/or non-unique technical parameters and associating by the traffic analyzer 5 the second characteristic data with the anonymous browsing session;
-   comparing by means of a user prediction algorithm 7 residing in the traffic analyzer 5 the first characteristic data concerning each identified username with the second characteristic data concerning the anonymous session to associate an identified username with the anonymous browsing in case of similarity or substantial coincidence between the first characteristic data and the second characteristic data so compared;
-   preferably, analyzing by means of a detection algorithm 8 residing in the traffic analyzer 5 each anonymous browsing session associated with one or more identified usernames to enter each username associated with the anonymous browsing session in which a situation involving a risk of credential theft has been detected in a watch list;

For each anonymous virtual session identified in the previous step, the method comprises the following steps:

-   identifying each anonymous web beacon generated by the client device 2 on the online service by the traffic analyzer 5, the web beacon indicating that the client device 2 has initiated a fraudulent browsing session on a phishing web server 11;
-   collecting by the traffic inspector 1 third characteristic data concerning unique and/or non-unique technical parameters and associating the third characteristic data with the anonymous web beacon via the traffic analyzer 5;
-   comparing by means of the user prediction algorithm 7 residing in the traffic analyzer 5 the first characteristic data concerning each identified username with the third characteristic data concerning the anonymous web beacon to associate the anonymous web beacon with an identified username in case of similarity or substantial coincidence between the first characteristic data and the third characteristic data so;
-   preferably, analyzing by means of a detection algorithm 8 residing in the traffic analyzer 5 each anonymous web beacon associated with one or more identified usernames to enter each username associated with the anonymous web beacon in which a situation involving risk of credential theft following a phishing attack is detected in the watch list.

Preferably, the method comprises the step of monitoring the browsing sessions at risk associated with each username in the watch list when the respective user further performs authentication to the online service. In addition, this step involves identifying an account take over attack by the client device 2 when the anonymous browsing session and the subsequent authenticated session associated with the same username entered in the watch list are close in time. Furthermore, this step involves protecting access to the online service when an account take over risk is identified.

It should be noted here that the steps and sub-steps described for the first and second embodiments may also be applied to the method of the third embodiment, as the latter is a synergistic combination of the two preceding embodiments. In particular, the steps and sub-steps concerning the method of the first embodiment are applicable in the case of anonymous application sessions, while the steps and sub-steps of the method of the second embodiment are applicable in the case of virtual anonymous sessions.

Advantageously, by virtue of the method of the third embodiment it is possible to intercept all the anonymous requests or web beacons generated by the client device so as to be able to identify and prevent any risks related, respectively, to credential theft attacks by malware and/or phishing.

Obviously, in order to satisfy specific and contingent needs, a person skilled in the art may apply numerous changes to the variants described above, all without departing from the scope of protection as defined by the following claims.

1. A method for predicting the identity of a user associated to an anonymous browsing session on an online service, comprising the steps of: providing a Traffic Inspector in signal communication with at least one client device for Internet browsing and with a web server having an online service residing therein, providing a Traffic Analyzer in signal communication with the Traffic Inspector; identifying each browsing session of the at least one client device on the online service by the Traffic Inspector; extracting and identifying at least one username by the Traffic Analyzer when a user performs authentication to the online service by analyzing the traffic exchanged between the at least one client device and the web server; collecting, by the Traffic Inspector, first characteristic data concerning unique and/or non-unique technical parameters and associating, by the Traffic Analyzer, the first characteristic data with the respective at least one identified username; storing the first characteristic data associated with each identified username in a database associated with the Traffic Analyzer; identifying each anonymous browsing session of the at least one client device on the online service by the Traffic Analyzer; collecting, by the Traffic Inspector, second characteristic data concerning unique and/or non-unique technical parameters, and associating, by the Traffic Analyzer, the second characteristic data with the anonymous browsing session; associating an identified username with the anonymous browsing session in case of similarity or substantial coincidence between the first characteristic data concerning each identified at least one username and the second characteristic data concerning the anonymous session compared by means of a user prediction algorithm residing in the Traffic Analyzer.
2. A method as claimed in claim 1, wherein the step of collecting, by the Traffic Inspector, first characteristic data concerning unique and/or non-unique technical parameters, and associating, by the Traffic Analyzer, the first characteristic data with a respective identified username comprises the sub-step of: collecting, by the Traffic Inspector, first characteristic data concerning one or more of unique technical parameters, non-unique technical parameters, endpoints, networks and browsers; the step of collecting, by the Traffic Inspector, second characteristic data concerning unique and/or non-unique technical parameters, and associating, by the Traffic Analyzer, the second characteristic data with the anonymous browsing session comprises the sub-step of: collecting, by the Traffic Inspector, second characteristic data concerning one or more of unique technical parameters, non-unique technical parameters, endpoints, networks and browsers.
3. A method as claimed in claim 2, wherein the first characteristic data and the second characteristic data comprise UUID and IP.
4. A method as claimed in claim 1, wherein the step of identifying each browsing session of the at least one client device on the online service by the Traffic Inspector comprises the sub-step of: identifying each browsing session of the at least one client device on the online service by the Traffic Inspector, using session cookies.
5. A method as claimed in claim 1, wherein the step of identifying each browsing session of the at least one client device on the online service by the Traffic Inspector comprises the sub-step of: intercepting, by the Traffic Inspector a HTTP request sent by a web browser residing in the at least one client device to the web server; the step of extracting and identifying at least one username by the Traffic Analyzer when a user performs authentication to the online service comprises the sub-step of: extracting a username from the HTTP request intercepted by the Traffic Inspector when a user performs authentication to the online service using an extraction algorithm residing in the Traffic Analyzer and based on regular expressions.
6. A method as claimed in claim 1, further comprising the steps of: entering each username associated with the anonymous browsing session in which a situation involving a risk of credential theft has been detected in a watch list by analyzing, by means of a detection algorithm residing in the Traffic Analyzer, each anonymous browsing session associated with one or more identified usernames; monitoring the browsing sessions at risk associated with each username in the watch list when its respective user further performs authentication to the online service and identifying an Account Take Over attack by the at least one client device and protecting access to the online service when the anonymous browsing session and the subsequent authenticated session associated with the same username entered in the watch list are close together in the time.
7. A method as claimed in claim 6, wherein the step of monitoring the browsing sessions associated with each username in the watch list comprises the sub-steps of: identifying, by means of the detection algorithm, the browsing sessions at risk associated with each username in the watch list when its respective user performs authentication to the online service; protecting the browsing sessions at risk using a protection algorithm residing in the Traffic Analyzer.
8. A method as claimed in claim 7, wherein the step of protecting the browsing session at risk using the protection algorithm comprises the sub-step of: locking the username of the user associated with the browsing session at risk or executing a strong Customer Authentication algorithm for the username of the user associated with the browsing session at risk or executing a Multi-Factor Authentication algorithm for the username of the user associated with the browsing session at risk.
9. A method as claimed in claim 7, wherein the step of monitoring the browsing sessions associated with each username in the watch list comprises the sub-step of: generating a risk signal indicative of a possible threat associated with a malware attack in the browsing session at risk.
10. A method as claimed in claim 6, comprising the step of: removing a username from the watch list when the detection algorithm detects that the malware attack is over.
11. A method as claimed in claim 10, wherein the step of removing a username from the watch list comprises the sub-step of: removing a username from the watch list when a predetermined time interval has elapsed from the time in which the detection algorithm has detected that the malware attack is over.
12. A method as claimed in claim 6, wherein the step of monitoring the browsing sessions at risk associated with each username in the watch list when the respective user performs further authentication to the online service comprises the sub-step of: comparing, by means of the detection algorithm, the first characteristic data associated with a username in the watch list with the first characteristic data collected by the Traffic Inspector when the respective user performs further authentication to the online service to identify any anomalies.
13. A method as claimed in claim 12, wherein the step of comparing, by means of the detection algorithm, the first characteristic data associated with a username in the watch list with the first characteristic data collected by the Traffic Inspector when the respective user performs further authentication to the online service to identify any anomalies, comprises the sub-step of: generating a warning when the first characteristic data associated with a username in the watch list differ from the first characteristic data collected by the Traffic Inspector when the respective user performs further authentication to the online service.